In recent years, cyber attackers have been improving their attack methods to steal personal and confidential information. Cellopoint recently detected a new type of phishing attack, which is called voicemail phishing. In this article, we will introduce the tactics behind voicemail phishing attacks and analyze the malicious email intercepted by Cellopoint.
Phishing Emails Masquerading as Voicemail Notifications
Voicemail phishing refers to a type of phishing attack in which an attacker uses a phishing email disguised as a voicemail notification to lure the recipient into clicking the buttons or links in the email, leading him/her to a carefully crafted phishing website designed to capture the personal information the recipient enters.
In the case of the voicemail phishing email to be analyzed in this article, if the recipient clicks on the button in the email, he/she will be asked to enter the email address and password to log in to get the voice message. Once the recipient follows the instructions and gives away his/her email address and password, the credentials will be successfully stolen by the scammer.
A Meticulously Crafted Voicemail Phishing Email
The image below shows a real voicemail phishing email recently intercepted by Cellopoint. At first glance, it appears to be a typical voicemail notification, providing details about the voice message in the email content. Recipients might easily click the "Play Voice Message" button without suspicion.
However, some red flags can be noticed immediately from the basic information of the email. Firstly, the sender address "email@example.com" is unfamiliar. Regular users typically do not use such long, random-looking alphanumeric email addresses. Additionally, the sender's domain is meaningless and does not reveal any information about the sender's organization.
The next abnormality is the email subject "New-Voוcemail from WוRELESS CALLER on Friday, December 1, 2023 - 9:46:52 AM." The text composition of the subject is unusual: look-alike characters are substituted for ordinary letters and the capitalisation is inconsistent, an attempt to evade keyword-based malicious email detection mechanisms.
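The subject line above defeats a plain keyword match because the "i" in "Voicemail" and "WIRELESS" is not a Latin letter. The following check, added here as an example and not part of Cellopoint's product or the original article, flags words that mix letters from more than one Unicode script, which is the pattern this subject relies on:

```python
import re
import unicodedata
from typing import List, Dict, Optional

# Subject line as quoted in the article: the "i" in "Voicemail" and "WIRELESS"
# is actually the Hebrew letter vav (U+05D5), so a naive keyword filter for
# "voicemail" never matches it.
SUBJECT = "New-Voוcemail from WוRELESS CALLER on Friday, December 1, 2023 - 9:46:52 AM."

def script_of(ch: str) -> Optional[str]:
    """Coarse script name for a letter ('LATIN', 'HEBREW', 'CYRILLIC', ...); None for non-letters."""
    if not ch.isalpha():
        return None
    # Unicode character names begin with the script, e.g. 'HEBREW LETTER VAV'.
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else "UNKNOWN"

def mixed_script_words(text: str) -> List[Dict]:
    """Return one record per word whose letters come from more than one script.

    Each record lists the scripts seen and the non-Latin code points, which is
    the detail an analyst wants to see in an alert rather than a bare boolean.
    """
    findings = []
    for word in re.findall(r"\w+", text):  # \w is Unicode-aware in Python 3
        scripts = {s for s in (script_of(c) for c in word) if s}
        if len(scripts) > 1:
            oddities = [f"U+{ord(c):04X}" for c in word
                        if script_of(c) not in (None, "LATIN")]
            findings.append({"word": word, "scripts": sorted(scripts), "codepoints": oddities})
    return findings

def keyword_match_misses(subject: str, keyword: str = "voicemail") -> bool:
    """True when a case-insensitive keyword filter would miss this subject."""
    return keyword not in subject.lower()

def looks_like_homoglyph_subject(subject: str) -> bool:
    """Subject-level verdict suitable for a mail filter rule."""
    return bool(mixed_script_words(subject))
```

A legitimate subject written entirely in one script produces no findings, so the rule can be applied broadly without flagging ordinary non-English mail.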
If the recipient clicks on the "Play Voice Message" button in the email, the website will initially display an animated icon saying "Authenticating…" (as shown in the image below), and then redirect the recipient to a carefully crafted phishing webpage.
Let's have a deeper look at the design of the phishing website. The attacker places a fake authentication image fetched from an external source in the HTML body and uses the HTML meta refresh mechanism to redirect the recipient automatically to the target phishing page after 3 seconds.
Furthermore, the target phishing webpage itself is carefully laid out. The attacker uses a legitimate certificate issued by Let's Encrypt and a valid website name, dweb.link (as shown in the image below), to host the website.
The scammer uses a valid certificate so that the recipient receives no security warning when accessing the phishing page, making it look like a legitimate and trustworthy website. However, upon careful consideration, it becomes apparent that even though the webpage uses a legitimate certificate and seems to come from a valid domain, that domain is not the domain of the recipient's organization. This is an attempt to use legitimacy to cover up illegal means.
Another crafty design of this phishing email is that the phishing webpage automatically includes the logo of the recipient's organization, making the recipient mistakenly believe that the email does come from his/her organization. Additionally, the webpage automatically displays the recipient's email account and then requests the corresponding password, deliberately leading the recipient to enter his/her email account password.
From the image above, we further observe that the URL path of the phishing webpage automatically includes the recipient's email address. We also find that the phisher has designed the webpage to automatically fetch the organizational logo of the recipient's email domain and display it in the login window, intending to increase credibility to lure the recipient into providing his/her email account password. And when we try to change the domain in the URL to the domain of another well-known company, the webpage also automatically includes the logo of that company (as shown in the image below). Therefore, this is a cleverly orchestrated deception, as this phishing webpage can automatically display the organizational logo of the target, regardless of which organization's email account the email is sent to.
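The two page-level tells described above, the meta refresh that forwards the victim after 3 seconds to a different host and the redirect target that carries the recipient's email address, can both be checked from the HTML of the first-hop page. This is an added example, not Cellopoint's code, and the HTML it parses is a constructed stand-in modelled on the article's description, with placeholder hostnames:

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, unquote

# Constructed first-hop page (placeholder hosts, not the real intercepted page):
# an externally hosted "Authenticating..." spinner and a 3-second meta refresh
# whose target embeds the recipient's address, as the article describes.
SAMPLE_HTML = """<html><head>
<meta http-equiv="refresh" content="3; url=https://landing.example/login/#victim@example.org">
</head><body><img src="https://cdn.example/auth-spinner.gif"></body></html>"""

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

class RedirectPageParser(HTMLParser):
    """Collects meta-refresh targets and image sources from a page."""
    def __init__(self):
        super().__init__()
        self.refreshes = []   # (delay_seconds, target_url)
        self.images = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            # content looks like "3; url=https://..." (the url= part is optional)
            delay, _, url = (a.get("content") or "").partition(";")
            url = url.strip()
            if url.lower().startswith("url="):
                url = url[4:].strip().strip("'\"")
            self.refreshes.append((int(delay.strip() or 0), url))
        elif tag == "img" and a.get("src"):
            self.images.append(a["src"])

def assess_landing_page(html, page_host):
    """Return human-readable findings for the redirect-to-login pattern.

    page_host is the host that served this HTML; any other host is external.
    """
    p = RedirectPageParser()
    p.feed(html)
    findings = []
    for delay, url in p.refreshes:
        host = urlparse(url).hostname or ""
        if host and host != page_host:
            findings.append(f"meta refresh to external host {host} after {delay}s")
        if EMAIL_RE.search(unquote(url)):
            findings.append("redirect target carries an email address (pre-filled login)")
    for src in p.images:
        host = urlparse(src).hostname or ""
        if host and host != page_host:
            findings.append(f"image loaded from external host {host}")
    return findings
```

Run against a page fetched in a sandbox from the link in a suspect email, an empty result means none of these three tells is present; any finding is worth a closer look at the destination host.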
Cellopoint Email Security Solution Effectively Protects Your Email
Faced with such sophisticated and crafty phishing emails, there are countermeasures from Cellopoint available. Cellopoint’s Email Threat Protection includes the Anti-spam module which will detect patterns of such malicious emails and perform a comprehensive assessment using mechanisms such as IP detection and reputation scoring. Therefore, if an email is from an unfamiliar IP and contains unknown URLs, it will be identified as a phishing email with high risk and be intercepted by the Anti-spam module.
Furthermore, since this email was not sent in bulk, it can be inferred that the phisher's goal is to steal the email account passwords of specific individuals within the organization for further illegal activities. In the latest version of the Cellopoint Email Security Protection solution, a crucial reporting feature has been added, known as the "HAPs Ranking." HAPs stands for Highly Attacked Persons, referring to the most frequently attacked individuals in an organization. Attackers often target specific individuals within a company or organization, and these highly attacked persons may be targeted due to factors such as their departments, authority, and access to corporate resources. Security administrators can find information about the most frequently attacked accounts on the HAPs Ranking page. With the insights from HAPs, organizations can identify the most targeted accounts (individuals) and develop corresponding security measures, such as strengthening the recipients' security awareness, limiting permissions, or increasing the intensity of controls.
Finally, in an environment rife with malicious emails, recipients should remain vigilant to avoid falling victim. If you have never used the related service before, an email claiming to be from that service should be treated as a potential scam and ignored. Even if you have used the service, you should be cautious. When receiving an email, first check for any abnormalities in the sender field and the email subject to avoid being deceived by false information in the email. Additionally, it is recommended to verify the authenticity of an email directly through official channels, such as logging into the official platform or contacting customer service to confirm that a new voice message exists. In conclusion, maintaining constant vigilance and avoiding opening or clicking on any seemingly unusual email attachments or links is the key to protecting your own information security.